HIPAA privacy and security rules

- When a wellness program is connected to a group health plan, employers must follow HIPAA privacy and security regulations.
HIPAA’s privacy and security rules protect an individual’s health information. The privacy rule addresses how a covered entity may use and disclose this information. When an organization is covered by HIPAA, it must put safeguards in place to make sure an individual’s health information is protected.
HIPAA places restrictions on the circumstances under which a group health plan may allow an employer/plan sponsor access to personal health information (PHI), including PHI about participants in a wellness program offered through the plan, without the written authorization of the individual.
An employer may obtain a summary of health information relating to individuals in the program. This summary of information does not identify individuals, so it does not violate employee privacy. An employer may use this summary to modify a wellness program to better address employee needs and decide which health and well-being issues to emphasize.
In some cases, an employer may need to perform administrative functions for a wellness program. These functions may require access to personal health information (PHI). When this is the case, HIPAA privacy and security regulations must be followed.